- From: <lists@ingostruck.de>
- Date: Wed, 13 Jun 2007 09:57:42 +0000
- To: Henrik Nordstrom <henrik@henriknordstrom.net>, Adrien de Croy <adrien@qbik.com>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Tuesday 12 June 2007 22:56, Henrik Nordstrom wrote:
> Yes, due to the brokenness not all the security features of Digest can
> be used (strict replay protection),

Even that could be done at the cost of additional round trips.

> but it's heaps better than Basic even without them..
>
> Using TLS is often overkill, and requires much more administration to
> get a certificate issued, installed etc.

For me this is the principal argument of using digest auth.

a) using TLS needs a cert which costs money and is overkill for some applications while on the other hand it is just grossly negligent to use basic over unencrypted connections

b) (see my mail from 2007-06-08 to the list), the application of a restricted (semi-)public proxy naturally cannot use any sort of TLS-auth because it needs to tunnel encrypted connections

Kind regards

Ingo
Received on Wednesday, 13 June 2007 08:46:55 UTC
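The trade-off between strict replay protection and round trips discussed in this message can be shown with single-use nonces as RFC 2617 allows them. This is an added example, not code from the thread; the realm, the user table and the `OneTimeNonceServer` and `client_auth` names are constructed for illustration.

```python
import hashlib
import secrets

REALM = "example"                    # constructed sample realm
USERS = {"alice": "s3cret"}          # constructed credential store

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class OneTimeNonceServer:
    """Accepts every issued nonce for exactly one request."""
    def __init__(self):
        self.outstanding = set()     # nonces issued and not yet used

    def challenge(self, stale=False):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return 401, {"realm": REALM, "nonce": nonce, "qop": "auth", "stale": stale}

    def handle(self, method, uri, auth=None):
        if auth is None:
            return self.challenge()
        password = USERS.get(auth["username"])
        good = password is not None and secrets.compare_digest(
            digest_response(auth["username"], password, method, uri,
                            auth["nonce"], auth["nc"], auth["cnonce"]),
            auth["response"])
        fresh = auth["nonce"] in self.outstanding
        self.outstanding.discard(auth["nonce"])   # single use, even on failure
        if good and fresh:
            return 200, {}
        # A valid digest over a used nonce (a replay, or simply the client's
        # next request) gets stale=true: retry without re-prompting the user.
        return self.challenge(stale=good)

def client_auth(user, password, method, uri, challenge):
    """Builds the Authorization fields a client would send for one challenge."""
    cnonce, nc = secrets.token_hex(8), "00000001"
    return {"username": user, "nonce": challenge["nonce"], "nc": nc, "cnonce": cnonce,
            "response": digest_response(user, password, method, uri,
                                        challenge["nonce"], nc, cnonce)}
```

Because each nonce is burned on first use, a captured `Authorization` header is rejected, and every legitimate request also needs a fresh 401 challenge first, which is the extra round trip.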